The rate at which companies are moving portions of their data, operations and hosting into the cloud is a hot topic in today's rapidly changing IT environments. With those moves, however, come all kinds of concerns -- ranging from shadow IT to costs, and lack of visibility -- and of those, security is the biggest challenge. To that end, networking pros need to perform a careful examination of cloud and security procedures and policies when deploying a cloud service.
There's no question that the cloud has made an impact on businesses worldwide. According to a November report by CompTIA, more than 90% of businesses now report some sort of involvement in the cloud. In addition, more than 60% say cloud services of one type or another represent approximately one-third of their IT infrastructures. Whether those services are as basic and pervasive as Dropbox or as scaled out as Amazon Web Services, Azure or Rackspace is immaterial. What is clear is that the cloud and security discussion is not going away anytime soon.
Debate over the integrity of cloud services to enterprises
But this growing reliance on cloud services does bring up an intriguing question: Just how secure are these services or a company's access to them? Largely, cloud hosting providers are -- anecdotally, at least -- more secure than the average enterprise customer, simply because they can afford more highly qualified security personnel. It's only now that the Anthem, Sony, Target, Home Depot, et al., hacks have become mainstream news that CIOs are waking up to the reality of the risk they must mitigate in order to safeguard company data. Security personnel at the average enterprise customer have, at least up until recently, been considered a necessary evil at best and a pain-in-the-ass impediment to businesses at worst. Cloud providers, however, have recognized the threat from the beginning and are therefore typically ahead of most network owners.
One pervasive problem in cloud security occurs when lines of business take matters into their own hands after deciding traditional IT is too slow, too cumbersome to deal with or too uninterested to help them meet their needs. As a result, companies find themselves approving expenses that can run into the tens of thousands of dollars per month on services they believe their own IT departments are either incapable of delivering or unwilling to provide.
Majority of companies unaware of applications running on their networks
According to a recent Cloud Security Alliance survey of IT directors and CIOs, nearly 72% conceded they didn't know the number of shadow IT apps running within their organizations. The survey also reflected a shift in where data security decisions are being made -- from the IT room to the boardroom.
Considering that sensitive company data is leaking to third-party systems faster than what the lyrics paint in poor Eliza's bucket, it's no wonder that the overall security posture of most companies has moved from the IT staff level and into the boardroom. Damage from leaked data can run into the millions of dollars, and even more in reputation costs.
Another challenge in providing some level of cloud security is that of transport. Some services like AWS have partnered with companies like Zayo to provide direct, private, dark fiber optical connections into the cloud. These optical services can be easily encrypted and are all but impervious to interception. Others, however, rely on traditional Layer 3 connections and are much weaker and open to man-in-the-middle attacks, particularly when run over the public Internet.
The first step, then, is for executives to not just develop a very deliberate and informed approach to cloud security and awareness, but to also get a handle on shadow IT in general. Until IT departments move from just providing transport to providing true business enablement, however, the notion of cloud and security is likely to continue to be a pervasive problem for enterprise networks. IT departments must become agile enough to truly be a service to their customers; that will help forestall users from surreptitiously moving services into the cloud, thus eliminating the possibility that those services will become gaping holes in the security of most networks. If you force your users to build castles in the cloud, you are guaranteeing you'll be under siege indefinitely.